Pricing and Investments in Internet Security: A Cyber-Insurance Perspective

Internet users such as individuals and organizations are subject to different types of epidemic risks such as worms, viruses, spams, and botnets. To reduce the probability of risk, an Internet user generally invests in traditional security mechanisms like anti-virus and anti-spam software, sometimes also known as self-defense mechanisms. However, such software does not completely eliminate risk. Recent works have considered the problem of residual risk elimination by proposing the idea of cyber-insurance. In this regard, an important research problem is the analysis of optimal user self-defense investments and cyber-insurance contracts under the Internet environment. In this paper, we investigate two problems and their relationship: 1) analyzing optimal self-defense investments in the Internet, under optimal cyber-insurance coverage, where optimality is an insurer objective and 2) designing optimal cyber-insurance contracts for Internet users, where a contract is a (premium, coverage) pair. By the term ‘self-defense investment’, we mean the monetary-cum-precautionary cost that each user needs to invest in employing risk mitigating self-defense mechanisms, given that it is optimally insured by Internet insurance agencies. We propose 1) a general mathematical framework by which co-operative and non-co-operative Internet users can decide whether or not to invest in self-defense for ensuring both, individual and social welfare and 2) models to evaluate optimal cyber-insurance contracts in a single cyber-insurer setting. Our results show that co-operation amongst users results in more efficient self-defense investments than those in a non-cooperative setting, under full insurance coverage, in an ideal single insurer cyber-insurance market, whereas in non-ideal single insurer markets of non-cooperative users, partial insurance driven self-defense investments are optimal. We also show the existence of a cyber-insurance market in a single cyber-insurer scenario.